On Wed, 09 Sep 2015 09:23:44 +0200 Benny Pedersen <m...@junc.eu> wrote:
> i would run "strings vbaProject.bin" and make clamav signature based
> on it

ClamAV is totally useless. Here's a trick:

Macro viruses must define a subroutine called "Document_Open".

So finding the string "Document_Open" case-insensitively in an MS Office file is a red flag. If you don't find it directly, use unzip -p (the so called "pipe mode") to look for that same string case-insensitively in the more modern MS Office files, which are really just zip files in disguise.

There will be some false-positives because some legitimate MS Office files (boooo....) auto-execute macros on document open, but IMO the danger posed by macro viruses makes the tradeoff worth it.

Regards,

Dianne.
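
The check described in the message above, as an added example that is not part of the original post: a case-insensitive search for "Document_Open" in the raw bytes, then in each decompressed member when the file is a zip container (the same effect as piping `unzip -p` into a search). The function names, the size cap and the sample bytes are assumptions made for illustration.

```python
import io
import zipfile

MARKER = b"document_open"      # string named in the post, lower-cased
MAX_MEMBER = 50 * 1024 * 1024  # assumed cap so a zip bomb cannot exhaust memory

def find_marker(data):
    """Return where MARKER occurs: "<raw>" and/or names of zip members."""
    hits = []
    if MARKER in data.lower():
        hits.append("<raw>")
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return hits
    try:
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER:
                    hits.append("<unscanned> " + info.filename)
                elif MARKER in zf.read(info).lower():
                    hits.append(info.filename)
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        # corrupt, encrypted or unsupported archive: report it, do not pass silently
        hits.append("<unreadable zip>")
    return hits

def make_zip(members):
    """Build a deflate-compressed zip in memory from {name: bytes}."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return out.getvalue()

# Constructed samples (placeholder bytes, not real Office files).
LEGACY_DOC = b"\xd0\xcf\x11\xe0" + b"\x00" * 16 + b"Sub DOCUMENT_OPEN()\r\n"
MACRO_DOCM = make_zip({
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"Private Sub Document_Open()\r\nEnd Sub\r\n" * 4,
})
CLEAN_DOCX = make_zip({"word/document.xml": b"<w:document/>"})

if __name__ == "__main__":
    for label, blob in [("legacy", LEGACY_DOC), ("docm", MACRO_DOCM), ("docx", CLEAN_DOCX)]:
        print(label, find_marker(blob))
```

The constructed .docm sample is reported only under its member name, not as `<raw>`, because deflate hides the string from a search over the file's raw bytes.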